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Abstract 

We obtain explicit formulas for the number of non-isomorphic el- 
liptic curves with a given group structure (considered as an abstract 
abelian group). Moreover, we give explicit formulas for the number of 
distinct group structures of all elliptic curves over a finite field. We use 
these formulas to derive some asymptotic estimates and tight upper 
and lower bounds for various counting functions related to classifica- 
tion of elliptic curves accordingly to their group structure. Finally, 
we present results of some numerical tests which exhibit several in- 
teresting phenomena in the distribution of group structures. We pose 
getting an explanation to these as an open problem. 

1 Introduction 

1 . 1 Background 

Let F q be the finite field of characteristic p with q = p k elements. An elliptic 
curve E over a finite field ¥ q is given by the Weierstrass equation 

y 2 + aixy + a 3 y = x 3 + a 2 x 2 + a A x + a 6 , (1) 
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where the coefficients g^, a 2 , a 4 , a 6 are in ¥ q ; see [3] for a general back- 
ground and see pQ for cryptographic interests on elliptic curves. 

As usual, let E(¥ q ) be the set of F g -rational points on elliptic curve E 
including the point at infinity denoted by O. It is known, see [UEHI], ^ na ^ 
E(¥ g ) is a finite Abelian group with the neutral element O and the cardinality 
of this group satisfies the Hasse- Weil bound as 

\4E{¥ q )-q-l\ <2^. 

It is also known, see [SHU], that the group structure of E(F q ) is expressed 
by the group isomorphism 

E{¥ q ) ~ Z m x Z n , 
where unique integers m, n satisfy 

m | n and m \ q — 1. (2) 

For the prime power q and positive integers m,n, let G(q;m,n) be the 
number of distinct elliptic curves E over ¥ q (up to isomorphism over ¥ q ) such 
that E(¥ q ) ~ Z m x Z n . Moreover, let F(q) be the the number of distinct 
group structures of all elliptic curves over the finite field ¥ q . In this paper, 
we give explicit formulas for G(q;m,n) and F(q), for all prime powers q and 
all possible values of m, n. We use these formulas to derive tight upper and 
lower bounds on F(q) and aslo an asymptotic formula for the average value 
of F(q) on average over prime powers q < Q as Q — > oo. 

Finally, we also present some numerical results concerning the frequency 
of the "most common" group structure over ¥ q , that is, for 

G(q) = maxG(g; m, n). (3) 

n,m 

These results reveal several interesting phenomena in the behaviour of this 
function and also of the parameters m, n and t = p + 1 — ran on which it 
value is achieved. 

Finally, we note the distribution of group structures generated by elliptic 
curves generated by all possibke finite field ¥ q has been studied in [2]. 

1.2 Notation 

Throughout the paper, p always denotes a prime and q = p k always denotes 
a prime power. 
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Let t be an integer such that gcd(t,p) = 1 and t 2 < Aq. Let A = t 2 — Aq 
and let c t be the largest integer such that 

c 2 t | A and A/c 2 = or 1 (mod 4). 

Let s t be the largest integer such that 

s 2 | q + 1 — t and s t \ q — 1. 

We note that s t \ c t . 

For each positive divisor m of s ( , let 

M.tijn) = {e 6 N : m | e, e | c t } 

and 

S t (m)=M t (m)\ |J M(0- 

ieN, l>rn 
m\l, l\s t 

As usual, we use <i(s) and </?(s) to denote the number of positive integer 
divisors and the Euler function of s, respectively. 

Moreover, for every negative integer D with D = or 1 (mod 4) we 
denote by h(D) the class number of some quadratic order of discriminant D. 

The implied constants in the symbols 'O', '<^' and '3>' are absolute. We 
recall that the notations U = 0(V), U <^ V and V ^> U are all equivalent 
to the assertion that the inequality \U\ < cV holds for some constant c > 0. 

2 Our Results 
2.1 Explicit formulas 

For p > 2, let Xp be the quadratic character modulo p. So, for a positive 
integer x, we have Xp( x ) = 0, 1 or —1, if x = (mod p), rr = a 2 (mod p) 
for some a ^ (mod p) or x ^ a 2 (mod p) for all a, respectively. Moreover, 
for p = 2, let XpC^) equals 0, 1 or —1 if x = (mod 2), x = ±1 (mod 8) or 
rr = ±3 (mod 8), respectively. 

Theorem 1. Let q = p k be a power of a prime p. Let m, n be positive 
integers. Let t = q + 1 — mn and A = t 2 — Aq. Then, G(q;m,n), that is, 
the number of ¥ q -isomorphism classes of elliptic curves E over ¥ q such that 
E(W q ) ~ Z m x Z n , equals: 
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1. h > if g C( i(t,p) = 1, t 2 < Aq, m \ n, and m \ q — 1 
ies t {m) ^ ' 

2. h(—Ap), if k is odd, m = 1 and n = q + 1 

3. h{—p), if k is odd, p = 3 (mod 4), m = 2, and n — (q + l)/2 
^. 1, i/ fc zs oc?o? ; p = 2 or 3, m = 1, and n = q + 1 ± v /pg 

5. 1 — x P (— 4), i/ is even, m—1, and n = q + 1 
6.1 — Xp(— 3); i/ ^ even, m—1, and n = q + 1 ± 

7. (p + 6 — 4x P (— 3) — 3x P (— 4))/12, i/ k is even, and m = n = ^fq ± 1 

8. 0, otherwise. 

The following result gives explicit formulas for the number F(q) of distinct 
group structures of all elliptic curves over ¥ q . 

Theorem 2. Let q = p k be a power of a prime p. For the number F(q) of 
distinct group structures of all elliptic curves over ¥ q , we have 

F(q) = d ^ 

tel., t 2 <Aq, 
gcd(t,p)=l 

1 H -, if k is odd, p > 3, 

3 H -, if k is odd, p = 2, 3, 

3 H — Xp(— 3)) if k is even, p > 3, 

k 5, z/ fc is even, p = 2, 3. 

2.2 Estimates and average values 

We now present explicit upper and lower bounds on F(q). 

Theorem 3. Let q = p k be a power of a prime p. For the number F(q) of 
distinct group structures of all elliptic curves over ¥ q , we have 

2n 2 / i\ f 2yg + 2, ifp = 2, 



+ < 



3 



V5(l- p )+%-l)+5>F(,)>J 5 ^/ 1 _^_ 2i !/p£3 
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We also show that the bounds of Theorem [3] are asymptotically tight. 
Theorem 4. When q = p k — > oo via the set of prime powers, we have 

< , F(q) 2vr 2 

1- hmsup — — -y^ = —; 

2. liminf— = 5/ 

VoZ v^(i-Vp) 

F(2 k ) 



3. liminf 

fc^oo 2 fc / 2 

Finally, we derive an asymptotic formula for the average value of F(q). 

Theorem 5. For Q — > oo, when q runs over via the set of prime powers, we 
have 

J>(g) = (0 + 0(1)) ( - 



where 



= - V - . . = 3.682609 
3 m 2 Lp(m) 

m=l v ' 



Our argument can also be used to obtain an explicit bound on the error 
term in Theorem [5] 



3 Preliminaries 

3.1 Endomorphism Rings 

Let E be an elliptic curve over ¥ q of characteristic p. Let N = #E(W q ) and 
t = q + 1 — N. Let 7r denote the Frobenius endomorphism on E, that is given 
by 

7T : (x,y) H> (x q ,y q ). 

We note that, 7r is the root of the characteristic polynomial X 2 — tX + q 
in the ring of Fg-endomorphisms of E\ This ring is denoted by Endf^-E 1 ). 
Moreover, by End(.E') = Endf we denote full endomorphism ring, that 
is, the ring of F g -endomorphisms of E. Let A = t 2 — Aq be the discriminant 
of the characteristic polynomial of E. 
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Suppose gcd(t,p) = 1. Then, E is called an ordinary elliptic curve. We 
have End(-E) = Endw (E). Moreover, End(E') is isomorphic to some order O 
in the quadratic imaginary field K = Q(\/A). In particular, we have 



Z [vr] = Z 



A + VA' 



C End(E) C 



where Ok is the maximal order in K, that is, the ring of algebraic integers 
of K. 

Let c t = [Ok '■ Z[7r]] be the conductor of Z[7r], that is the largest integer 
such that Ajc\ = 0, 1 (mod 4). Then, A^ = A/c 2 , called the fundamental 



discriminant, is the discriminant of the field K. Also, O 



K 



z 



We note that, O = Z + cOk, where the conductor c = [Ok '■ O] is a divisor 
of q. Furthermore, A = c 2 Ak is the discriminant of O, so the order O is 
uniquely determined by its discriminant and denoted by 0(A). We let h(0) 
be the class number of O which is also denoted by h(A). 

Now, suppose p | t. Then, E is called a supersingular elliptic curve. Let 
Qoo,p denote the unique quaternion algebra over Q which is only ramified at 
p and oo. Then, EndF 9 (-E) is either a quadratic order in K = Q(\/A) or 
a maximal order in Qoo,p- Moreover, End(.E) is a maximal order in Qoo,p; 
see [3CE2] or 0. 



3.2 Isogeny calsses 

Two elliptic curves over ¥ q are called isogenous over ¥ q if and only if they 
have the same number of points over ¥ q . The number of F g -rational points 
of the elliptic curve E over ¥ q satisfies the Hasse- Weil bound. On the other 
hand, Deuring-Waterhouse theorem, see p21 E], describes all possible values 
of N that can be the cardinality of E(¥ q ), for some elliptic curve E over ¥ q . 

Lemma 6. Let q = p k be a power of a prime p. Let t G Z and let N = q+l—t. 

The integer N is the cardinality of E(¥ q ), for some elliptic curve E over ¥ q , 
if and only if one of the following conditions is satisfied: 

1. t 2 < 4q and gcd(t,p) = 1 

2. k is odd and t = 

3. k is odd, t = ±y/pq, p = 2 or 3 
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4- k is even, t 



0, p ^ 1 (mod 4) 



5. k is even, t 



±-v/g, p ^ 1 (mod 3) 



6. k is even, t 



±2^q. 



Proof. See PE2JCEI]. 



□ 



Let A be a negative integer with A = or 1 (mod 4) and let c be the 
largest integer such that c 2 | A and A/c 2 = or 1 (mod 4). Let H(A) 
denote the Kronecker class number of A. We have 



Let I(q; N) be the number of distinct elliptic curves E over ¥ q (up to 
isomorphism over ¥ q ) such that #E(F p ) = N. The following lemma gives 
explicit formulas for the values of I(q; N). 

Lemma 7. Let q = p k be a power of a prime p. Let t 6 Z and let N = 
q + 1 — t. Then, I(q;N), that is, the number of ¥ q -isomorphism classes of 
elliptic curves E over ¥ q with #E(F q ) = N, equals: 

1. H(t 2 - 4g) ; ift 2 < 4g and gcd(t,p) = 1 

2. H(-Ap), if k is odd and t = 

3. 1, if k is odd, t = ±^yp~q, p = 2 or 3 

4- 1 — x p (— 4), if k is even, t = 0, p ^ 1 (mod 4) 

5. 1 — x P (— 3), if k is even, t = ±y/q, p ^ 1 (mod 3) 

6. {p + 6 - 4x P (-3) -3x P (-4))/12, if k is even, t = ±2^/q 

7. 0, otherwise. 

Proof. See [H Theorem 4.6]. □ 
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3.3 Group structures 

The group of F^-rational points on the elliptic curve E over ¥ q is isomorphic 
to the group Z m x Z n , with unique integers m, n such that m \ n and m \ q—l. 
We note that, every group Z m x Z n , with integers m, n satisfy later conditions, 
may not occur as the group E(F q ) for some elliptic curve E over ¥ q . The 
following theorem describes the possible group structures for elliptic curves 
over finite fields, see [TO] . 

Lemma 8. Let q = p k be a power of a prime p. Let m, n be positive integers 
with m < n. Let t = q + 1 — mn. There is an elliptic curve E over ¥ q such 
that E(¥ q ) ~ Z m x Z n if and only if one of the following holds: 

1. gcd(t,p) = 1, t 2 < 4q, m \ n and m \ q — 1 

2. k is odd, t = 0, p ^ 3 (mod 4), and m = 1 

3. k is odd, t = 0, p = 3 (mod 4), and m = 1 or 2 
4- k is odd, t = ±^/pq, p = 2 or 3, and m = 1 

5. k is even, t = 0, p ^ 1 (mod 4) ; and m = 1 

6. k is even, t = ±yfq, p ^ 1 (mod 3), and m = 1 

7. k is even, t = ±2^/q, and m = n = ^fq =)= 1. 

We note that, the Case 1 in Lemma [8] corresponds to ordinary elliptic 
curves and the other cases corresponds to suppersingular elliptic curves. 

As usual, we let E[l] be the set of /-torsion points of the elliptic curve E 
over F g , that is, 

E[l] = {P : P G E(¥ q ), IP = 0}. 

We note that, if gcd(/, q) = 1, then 

E[l\ = Z/ZZ x Z/ZZ. 

Lemma 9. Let E be an ordinary elliptic curve over F q . The following are 
equivalent: 

1. m = max{Z : Z G N, gcd(Z,g) = 1, E[l] C E(¥ q )} 
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2. m = max {l : / G N, I \ q — 1, I 2 \ #£(F g ), O (§) C End(£)} 

5. E(¥ q ) ~ Z m x Z n; where m \ n and m \ q — 1. 

Proof. We recall, [H Prposition 3.7], that for all positive integers / with 
gcd(Z, q) = 1, we have E[l] C £(F g ) if and only if Z | q - 1, / 2 | #E(W q ) and 
(f?) Q End(E). Therefore, the descriptions of m in Cases 1 and 2 are the 
same. 

Moreover, for all positive integers / with gcd(7,g) = 1, we have E[l] ~ 
x Z/. Suppose E(¥ q ) ~ Z m x Z n , where m | n and m | q — 1. Then, for 
all / with gcd(7,g) = 1, we have E[l] C ^(F^) if and only if / | m. Hence, 
Cases 1 and 3 are also equivalent. □ 

We recall the definition of the numbers q and St and of the sets St(m) 
given in Section [1} 

Lemma 10. Let E be an ordinary elliptic curve over¥ q . Assume that m,n 
are positive integers with m \ n, m \ q — 1 and mn = #E(F q ) — q + 1 — t. 
Then, we have E(¥ q ) ~ Z m x Z„ if and only if 

End(E) = O (^j 

for some I G St(m). 
Proof. We note that 

End(E) = O 

where / is some positive divisor of q. By assumption, m is a divisor of St. 
^From Lemma [9j we have E(F q ) ~ Z m x Z n if and only if m is the largest 
divisor of St satisfying O Q End(E') = O (||). The latter is equivalent 
to have / G S t {m) which completes the proof. □ 

3.4 Primes in arithmetic progressions 

For a real z > 2 and integers s > r > we denote by n(z; s,r) the number 
of primes p < z such that p = r (mod s). 

An asymptotic estimate of the number of primes in arithmetic progres- 
sions is given by the Siegel-WalGsz theorem, see [3| Theorem 1.4.6]. 
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Lemma 11. For every fixed A > there exists C > such that for z > 2 
and for all positive integers s < (\ogz) A , 



max 

gcd(r,s)=l 



liz 



O (zexp (^—C\/\og, 



where 



liz 



du 
logw 



4 Proofs 

4.1 Proof of Theorem [T] 

We note that G(q; m, n) ^ if and only if m, n satisfy one of the cases given 
by Lemma |8} So, we study the nonzero number G(q; m, n) for the possible 
values of m, n as follows. 

For Case 1, we assume that gcd(t,p) = 1 and t 2 < Aq. From Lemma |8j 
we see that G(q; m,n) ^ if and only if m | n and m | q — 1. So, let 
m, n be positive integers satisfying the latter conditions. From Lemma [ToJ 
for all elliptic curve E over ¥ q , we have E(¥ q ) ~ Z m x Z n if and only if 
End(E) = O(jz) for some / G S t (m). We also note that, all orders O(p) whit 
/ G S t (m), will occur as the endomorphism ring of some elliptic curves over 
F q , see p21 Theorem 4.2]. Moreover, the number of F q isomorphism classes of 
elliptic curves with End(E) = 0(f) is h (£) (e.g. see H2J Theorem 4.5]). 
Therefore, we have 

G(q; m, n) = h 

For Case 2, we have t = 0. Moreover, G(q;m,n) with m = 1 is the 
number of cyclic supersingular elliptic curves over F q with trace (up to 
Fg-isomorphism), that is, h(—4p), see [TJ Lemma 4.8]. 

For Case 3, we have t = and g = 3 (mod 4). Also, G(q;m,n) with 
m = 2 is the number of non-cyclic supersingular elliptic curves over F q with 
trace (up to F g -isomorphism). This is H(—4p) — h(—Ap) = h(—p). 

For other cases, we have t 2 = q, 2q, 3q, 4g. Also, all supersingular elliptic 
curves in the corresponding isogeny class are cyclic. Then, G(q; m, n) with 
m — 1 is the isogeny class number given by Lemma [7j So, the proof of 
Theorem [l] is complete. 
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4.2 Proof of Theorem H 



The possible group structures of elliptic curves over ¥ q are the groups iso- 
morphic to Z m x Z n , for some values m,n described by Lemma [8j For an 
integer t, let f(q; t) be the the number of distinct group structures of elliptic 
curves over ¥ q with the trace t. Let t be a positive integer with \t\ < 
From Lemma [8| we consider the following cases for t. 

1. Suppose gcd(t,p) = 1. Let N = q + 1 — t. Then, the g roup Z m x Z^, 
for positive integers m, n with m < n, is the group structure of some 
elliptic curve E over ¥ q with trace t if and only if m | n, m | q — 1 
and rrm = iV. This is equivalent to have m 2 | N, m \ q — 1 and 
mn = N. As before, let s t be the largest integer such that sf \ N and 
s t | q — 1. Therefore, there is a one to one correspondence between the 
group structures of ordinary elliptic curves over ¥ q with the trace t and 
positive integer divisors of s t . So, 



f(q;t) = d(s t ) 



(4) 



if gcd(t,p) = 1. 



Suppose t | p. Then, we may have t 2 /q 
we see that 



0, 1, 2, 3 or 4. From LemmaK 



/(g;*) 



l - 
l - 



i-xp(-i) 

2 

Xp(-1) 



2 

X P (-3) 



1. 

1 - 



if k is odd, t = 0, 

if A; is odd, p = 2 or 3, t 2 = pq. 

if A; is even, p ^ 2, t = 0, 
if A; is even, p = 2, t = 0, 



(5) 



1. 
1. 
0. 



if /c is even, p ^ 3, t 2 

if /c is even, p = 3, t 1 
if is even, t 2 = 4g, 
otherwise. 



q, 



Now, we sum up g(q; t) over all possible integer values of t. We have 

teZ, t 2 <4g 

Using (|4]) and ([5]), we obtain the explicit formulas for F(q). 
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4.3 Proof of Theorem [3] 

Let % q be the set of integers of the Hasse-Weil interval, that is, 
H q = {N : N G N, q - 2^ + 1 < N < q + 2^ + 1} . 



We recall, from the proof of Theorem [2j that for every N G H q with gcd(iV — 
l,p) = 1, there is a bijection between the set of group structures of isogenous 
elliptic curves E over ¥ q with order N and the set of positive divisors m of 
q — 1 with m 2 \ N . 

For a positive integer divisor m of g — 1, let m) be the number of 
distinct group structures Z m x Z n of elliptic curves over F 9 for some n G N. In 
other words, g(g; m) is the cardinality of the set of positive integers n where 
there exists some elliptic curve E over ¥ q with E(W q ) ~ Z m x Z n . Clearly, 
we have 

F (q) = 9(T,m). (6) 

m\q— 1 

Here, we express g(q;m) by counting the number of multiples of m 2 in 
1-L q . For a positive integer divisor m of g — 1, let 



H g (m) = {iV : iV G ft,, gcd(iV -l,p) = 1, 



m 



iV} 



^From the proof of Theorem [2] and by Lemma |8j for all positive divisors m 
of q — 1, we have 



g(q;m) = #H q (m) + 5 q 



m) 



(7) 



where 



r i. 



S q (m) 



1 + 

3, 

i-x P ( 



Xp(-3), 



if fc is odd, p 7^ 2, 3, m = 1, 

if fc is even, p ^ 2, 3, m = 1, 
if p = 2 or 3, m — 1, 

if is odd, m = 2 

if is even, m = */q ± 1, 
otherwise. 



Next, using (|6| and ([7]), we obtain 



F{q)= #H 9 (m) + ^(m). 

m\q— 1 



(8) 
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We note that j^H. q = 2 [2-y/g] + 1. Moreover, for all divisors m of q — 1, if 
m > \fq + 1 then ^T-L q (m) = and if m < ^fq + 1, then 









m 2 




m 2 p 



- 1 < #H g (m) < 



< 


[ 4 V^~ 








m 2 




m 2 p 



+ 1 



and so, 



P 



2 < #ft 5 (m) < 



V 



m 



(9) 



To obtain an upper bound for F(q), we write 



E 

m\q— 1 



E # H « 



E #n q (m)+ E 



rn\g— 1, 
m<y/q— 1 



m|g— 1, 
/(J— l<m< v /g+l 



m|g— 1, 



< 



m|q 

One can see that, 



ilg— 1 mlq— 1. mlo— 1, 



m 



i.|c/— 1, m|g— ] 

m<^Jq— 1 l<m<\/g+l 



E #«,h + E w ^ 5 - 

m\q— 1 



m|g-l, 

/g— l<m<^/q+l 



Then, from d8|), we have 



F(g)< 4v ^(l-iW-l + %-l) + 5 



27T 2 



P 



1-- +d(g-l)+5. 



Now, we provide the lower bound for -F(g). If p = 2, using ([8]), we write 
F(q) > + E 5 «( m ) > l 2 V0\ + 3 > 2^ + 2. 

m\q— 1 

For p > 3, using ([8]), we write 

F(q) > + #H 9 (2) + E *ffM- 

m\q— 1 
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We see from d9|) that 



V? ( 1 i 

Moreover, one can see that 



#H g (m)> — 

77T \ p 



#H g (2) > Vg (1 - i 

if q = 1 (mod 4). From ([7]), we have 

E ^( m ) ^ L 

m\q— 1 

Furthermore, 

m\q— 1 

if g = 3 (mod 4). Therefore, 



#ft 3 (2) + e s «( m ) > ^( 1 'l) 

m\q— 1 



which completes the proof. 

4.4 Proof of Theorem [H 

To prove the result of Case 1, let us choose a sufficiently large integer L, and 
let M be the least common multiple of all positive integers m < L. 

We now choose a prime p = 1 (mod M) and put q = p. Using ([6]) and Q 
we derive 



F(V) > E ^ m ) = E ^(95 m ) = E + 

m\q— 1 

Since by (|9]) for q = p we have 



m\q— 1 m<L m<L 

m<L 
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we now derive 



m<L ' m<L 

= 4^f^- + 0(l/L)\+0(L). 

Since by the prime number theorem we have 

q>M> exp((l + o(l))L) , 
taking L — > oo we obtain 

F{q) = + o(l)) V? = (x + ^ (* - p) 

for the above sequence of g = p. 

For Case 2, we recall a result of Heath-Brown [3], which asserts that 
there are infinitely many primes p such that either p = 2£ + 1 for a prime 
£ or p = 1i\i2 + 1 for a primes £1,^2 — P a f° r some a > 1/4 (one can take 
a = 0.276 . . ., see the proof of [5j Lemma 1]). Using ^ and we see that 
for each such prime p and q = p we have 

Jfy) = E 0(?;™) = E (#^H + o(i)) 

m\q— 1 m\q— 1 

= #H 9 (1) + #H 9 (2) + 0(1)=5 V ^ + 0(1) 



5Vff(l-£)+0(l). 



Finally in Case 3, we recall that if q = 2 r , where r is prime then all prime 
divisors £ of q — 1 satisfy £ = 1 (mod r) (since r is the multiplicative order 
of 2 modulo £, thus r \ £ — 1). In particular for any m \ q — 1 with m > 1 we 
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have m > r. Hence, as before, and also recalling d9|), for q = 2 r we obtain 



F(q) = Yl + 



m|q— 1 
m>l 



\ 



J2 {q 1 ^ 2 + 1) 



, m\q— 1 
\ m>l 



/ 



= #^(l) + 0U 1 / 2 ^m- 2 + %-l)j 

= #7^(1) + (g^Qogg)- 1 + d(g - 1)) = (2 + o(l)) g 1 / 2 
which concludes the proof. 

4.5 Proof of Theorem [5] 

Since there are 0(Q 1 ^ 2 ) prime powers q = p k < Q with k > 2, using the 
upper bound of Theorem [3] we obtain 



J>(g) = 5>(p) + 0(Q). 

g<Q p<Q 

We see from (J8J) that 

f(p) = *Vp E A + 

m\p— 1 

We recall the well-known estimate on the divisor function 

d(s) = s o(1) , s ->■ oo, 
see [U Theorem 317]. Thus 

5>(p) = ^V~pJ:^ + o(q^) 



(10) 



(11) 



p<Q 



P<Q m\p— 1 



m<Q P<Q 

p=l (mod m) 
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By Lemma 11 , and partial summation, we see that for m < log Q we have 



p<Q 
p=l (mod m) 



2 + o(l)V^ 
' ip(m) 



+ (i; 



g 3 / 2 



<^(m) logQ 



Furthermore, for m > log g we use the trivial estimate 



E v^<q 1/2 E 1 = W 2 ™- 1 )- 



p=l (mod m) 



2<n<Q 
n=l (mod m) 



Therefore 

5>(p) 

p<Q 



+ o(l) 
+ o(l) 



g 3 / 2 
io g g 



E ^r^ + °^ 3/2 E ™~ 3 1 

^— ' m z tp[m) \ z — ' / 

i<logQ \ m>logQ / 



(I+« i ))S?s4o +o( ^ (log0) " I) 



logg ^— ' m 2 (p(m 
which together with (10) concludes the proof. 



5 Distribution of the Most Frequent Group 
Structures 

5.1 Preliminaries 

Here we present some numerical data concerning the values of G(q) given 
by (J3| and also about the values of m and n at which these values are 
achieved. Furthermore, we concentrate here on prime values q = p. 
First of all we note that for any N we have 

E G(p;m,n) = I(p;N), 

m,n>l 
mn=N 

where as before I(p; N) is the number of distinct isomorphism classes of 
elliptic curves E over ¥ p (up to isomorphism over F p ) such that #E(F P ) = N 
(see Lemma [7]). In particular 

max J(p; N)/d(N) < G{p) < maxl(p; N). (12) 
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It is well-known that the bounds on the Kronecker class number imply 
that 

I(p; N) <C p 1 ^ 2 log p ( log log p) 2 

and for all N E [p + 1 — p 1 ^ 2 ,p + 1 + p 1 ^ 2 } but maybe at most two of them, 
we have 

J(p; N) > p 1/2 /\ogp, 



see, for example, [HI Proposition 1.9]. Thus, recalling (11), we derive from 



the inequalities (12) that 

G(p) = p V2+ (i). (13) 

5.2 Numerical data 



We see that from (13) that it is natural to study the values of G(p) scaled 
by p x l 2 . In fact, our experiments with 41538 primes p < 500, 000 show that 
scaling by p 1 ^ 2 logp is more natural and the ratio G(p)/p 1 ^ 2 \ogp stabilises in 
a reasonably narrow strip between roughly 0.1 and 0.2, see Figure [T] 



Figure 1: Distribution of G(p) /p 1 ^ 2 \ogp for primes p < 500, 000. 

We also notice that for all primes checked the value of G(p) is always 
achieved for (m,n) with m — 1 (that is, for curves with cyclic group of 
points). Moreover, for some primes the same value is also achieved for some 
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pairs (m,n) with m = 2. In our experiments the value of G(p) has never 
been achieved with m > 3. 
We also compare G(p) with 

I(p) = max/Qo; N), 

see Figure [2] 
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0.5 
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0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 

x 10 5 

Figure 2: Distribution of G(p)/I(p) for primes p < 500, 000. 

For primes p < 500,000, where we have computed G(p)/I(p) this ration 
has achieved 1 for p2, 5, 7, 17, 29, 41, 101, 1009, 1109, 1879, 4289, where G(p) 
and I(p) are achieved with the same value of t with St = 1. Also, only 
four times (for p = 37591,187651,246391,397591) the value of G(p)/I(p) 
has been below 0.5. Unfortunately these extreme values of both types are 
invisible on Figure [2] We do not know whether these primes are just some 
sporadic exceptions or whether there are infinitely many such primes. More 
generally, it is certainly interesting to evaluate or at least obtain nontrivial 
theoretic estimates on 

limsupG(p)//(jo) and lim inf G(p) j I(p) . 

p— >oo p— s>oo 

This may also help to explain the presence of several horizontal lines on 
Figure [2] (slightly emphasised there to improve their visibility). 
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Clearly, one expects that the value of G(p) is achieved for (m, n) for which 
t = p + 1 — N, where N = mn, is small, so that A = t 2 — Ap has a large 
absolute value which leads to a large value of I(p; N). However this is offset 
by the fact that for iV having many divisors so the value of I(p; N) is "split" 
between d(s t ) values of G{p;m,n). This effect is observed in the numerical 
results which are presented below, which show that if G(p; m, n) = G(p) then 
t = p + 1 — mn is small but not necessary very small. In particular, most 
of the time G(p) and I(p) are achieved on different values of t, namely in 
about 82.2% of the cases within the above range of primes p (more precisely 
for 34158 primes out of the total number of 41538 primes p < 500,000). 
Furthermore, it seems that the remaining 7380 cases in which G(p) and I(p) 
are achieved on the same value oft, are the ones that mainly (but not entirely) 
responsible for the presence of horizontal lines on Figure § Indeed, the same 
lines are clearly visible on Figure [3] where the ratios G(p)/I(p) are plotted 
only if they come from the same value of t. 
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Figure 3: Distribution of G(p) / I(p) achieved on the same value of t for primes 
p < 500,000. 

We also summarise this in Table [T] which gives the number of points on 
horizontal lines on Figure [2] and Figure [3] (ordered by the the total number 
of points). 

Let 

T max (p) = {t : t =p + l- mn, G(p; m,n) = G(p)} , 
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Ration G(p)/I{p) 


Number of 
on Figure |2 


Drimes 


Number of 
on Figure |3 


crimes 


1/2 


2933 


2931 


2/3 


2300 


1968 


3/5 


1287 


883 


4/7 


1236 


1012 


6/11 


329 


220 


5/8 


292 


1 


8/15 


268 


161 


3/4 


258 


139 


12/23 


71 


32 


17/26 


45 


1 


16/31 


39 


19 


45/68 


28 


1 


28/47 


15 


1 


1 


11 


11 



Table 1: Rations of G(p)/I(p) for primes p < 500, 000. 



that is, for each p, T max (p) is the set of the traces corresponding to the 
most "popular" group structures. In Table [2] we give some data about the 
distribution of #T max (p) for primes p < 500, 000. In particular #T max (p) = 1 
in about 52% of the cases. 



#7^ ax (p) 


Number of primes 


1 


21638 


2 


19087 


3 


230 


4 


524 


5 


19 


6 


36 


7 


3 


10 


1 



Table 2: Distribution of #T ma , x (p) for primes p < 500, 000. 

We also remark that the set T m &x(.p) is symmetric around (that is, 
7max(p) = — TJnaxG )) for 20020 primes out of the total number of 41538 
primes p < 500, 000. 
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Figure ^ presents the scaled values tjp 1 ! 2 , where t G T max , for primes 
p < 500,000. 
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Figure 4: Distribution of -4=, where t G T max , for primes p < 500, 000. 

VP 

As we have mentioned, we do not have any solid theoretic explanation to 
the observed facts. There is certainly more to investigate here, numerically 
and theoretically, in order to understand the behaviour of G{p; m, n). 
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